Hi neelam_n
There are differences between data I receive through MicroFocus Logger and the CommonSecurityLog schema.
For instance, column name versus CEF key name, and the spelling and case of names. This is important as KQL is case sensitive.
E.g. (bold=CEF, first key name, then full name; italic is CSL)
DeviceAction versus act versus deviceAction
ApplicationProtocol versus app versus applicationProtocol
etc.
And there are also differences in data types:
DeviceTranslatedAddress(string) versus destination Translated Address versus device Translated Address (IPv4 address)
DestinationMACAddress(string) versus dmac versus destinationMacAddress(MAC Address)
StartTime(string) versus start versus startTime(DateTime)
etc.
For these examples it will fit, as the CEF data type can always be put in a string.
But these are more dangerous:
DeviceCustomNumber1(int) versus cn1 versus deviceCustomNumber3(long) (as I think an int is 32 bits and a long is 64)
ExternalID(int) versus externalId versus externalId(string[40]) (a string of potential length 40 chars will never fit in an int.)
etc.
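The type mismatches listed in the post above can be checked before ingestion. The following is an added example, not part of the original post: it parses a CEF extension and reports values that the CommonSecurityLog column type given in the post cannot hold. The sample event, the function names and the partial mapping table are constructed for illustration.

```python
import re

INT32_MIN, INT32_MAX = -2**31, 2**31 - 1  # range of a 32-bit int column

# CEF key -> (CommonSecurityLog column, column type), as listed in the post.
# Only the post's examples are mapped; the table is deliberately partial.
CSL_COLUMNS = {
    "act": ("DeviceAction", "string"),
    "app": ("ApplicationProtocol", "string"),
    "dmac": ("DestinationMACAddress", "string"),
    "start": ("StartTime", "string"),
    "cn1": ("DeviceCustomNumber1", "int"),
    "externalId": ("ExternalID", "int"),
}

# A key begins at the start of the extension or after a space and ends at '='.
_KEY = re.compile(r"(?:^|(?<= ))(\w+)=")

def parse_extension(ext):
    """Split a CEF extension into {key: value}; values may contain spaces."""
    hits = list(_KEY.finditer(ext))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        raw = ext[m.end():end].strip()
        # Undo CEF escaping of '=' and '\' inside values.
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields

def check_fit(fields):
    """Return [(cef_key, csl_column, reason)] for values the column cannot hold."""
    problems = []
    for key, value in fields.items():  # keys are matched case-sensitively
        column, col_type = CSL_COLUMNS.get(key, (None, None))
        if col_type != "int":
            continue  # unmapped key, or a string column that accepts any value
        try:
            number = int(value)
        except ValueError:
            problems.append((key, column, "not an integer"))
            continue
        if not INT32_MIN <= number <= INT32_MAX:
            problems.append((key, column, "exceeds 32-bit int"))
    return problems

# Constructed sample event extension (not real log data).
SAMPLE = ("act=blocked app=HTTPS cn1=4294967296 externalId=INC-2024-000123 "
          "dmac=00:0D:60:AF:1B:61 start=Jun 01 2024 10:00:00")
```

Calling `check_fit(parse_extension(SAMPLE))` flags `cn1` and `externalId` and leaves the string-typed columns alone.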